Jump to content


Messenger Plus - Damn..

  • Please log in to reply
1 reply to this topic

#1 ldodman



  • New Member
  • Pip
  • 2 posts

Posted 27 July 2004 - 11:03 PM

I was stupid enough to install Messneger Plus on my computer. There is no uninstall with it and it's not in the control panel. Is there a way to unistall the program and then get rid of it all? Can I uninstall Messenger, will the Plus go away too?

I have run Spybot and still need help my browser IE is still getting hijacked..

I am posting my hijack log for help, thank you very much..


Logfile of HijackThis v1.97.7
Scan saved at 11:57:27 PM, on 27/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\HP CD-DVD\Umbrella\DVDTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Creative\ShareDLL\Mediadet.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Qualcomm\Eudora\Eudora.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\BitTorrent\btdownloadgui.exe
C:\Program Files\MSN Messenger\msnmsgr.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mysearchnow.c...age/Nethome.htm
N3 - Netscape 7: user_pref("browser.startup.homepage", "file:///C:/Program%20Files/Netscape/Home%20Page/Nethome.htm"); (C:\Documents and Settings\Les Dodman\Application Data\Mozilla\Profiles\default\p3q9aj7v.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Les Dodman\Application Data\Mozilla\Profiles\default\p3q9aj7v.slt\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {07C467FF-40F3-CED6-A5CD-EF59F04EFA8A} - C:\PROGRA~1\MULTIM~1\way 1.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DVDBitSet] "C:\Program Files\HP CD-DVD\Umbrella\DVDBitSet.exe" /NOUI
O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP CD-DVD\Umbrella\DVDTray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [Grey Dart] C:\PROGRA~1\Proc 01\That Clock.exe
O4 - HKLM\..\Run: [move rule junk ante] C:\Documents and Settings\All Users\Application Data\BUILD TWO MOVE RULE\loud barb.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: OptiCAL Startup.lnk = C:\Program Files\PANTONE COLORVISION\OptiCAL\OptiCAL.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/i...etup1.0.0.6.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7849.7258333333
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#2 ldodman



  • New Member
  • Pip
  • 2 posts

Posted 30 July 2004 - 08:59 AM

It took me the better part of a day but I got rid of it....... I think and hope..

First thing I did was reinstall Messenger Plus to get the Unistall engine on board, then unistalled it. However, as you would guess it didn't get rid of the malware as it suggests it would..

I did everything in your FAQ, used all the programs, virus scanner, torjan scanner, XCleaner, Adware, Spybot (which I use regularly), ETC.. found and deleted files as the scanners suggested. That would work for a short time and then the browser Hijack would come back.. Used a reg cleaner...

I had to go into my startup, find and stop programs I thought were the problem. Turned out to be one called "That Clock" and another called Meow somthing...

I found the files on my computer and renamed them, this worked great.. until the next day when the hijacker sent files of another name, "Test Tray".. all executable files by the way.. I renamed and this once again cured my hijack temporarily.. Once again I ran all the virus, hijack, trojan etc programs as suggested in the faq including Reg Cleaners. Unfortunately this still left keys in my Registry.

Once I had done this I went into my registry and manually looked up and deleted every instance I could find of all the files that the hijacker had put on my computer. Then deleted the executables off the hard drive after looking to see if there was an unistall program (no way).

It's been three days since I was infected and so far so good, let's keep our fingers crossed...

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of

Support SpywareInfo Forum - click the button
PayPal - The safer, easier way to pay online!